OFFICE OF THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

UNIVERSITIES’ USE OF SOCIAL SECURITY NUMBERS AS STUDENT IDENTIFIERS IN REGION VIII

March 2005     A-04-05-15039

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste, and abuse by conducting independent and objective audits, evaluations, and investigations. We provide timely, useful, and reliable information and advice to Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

  • Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and operations.
  • Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations, we are agents of positive change striving for continuous improvement in the Social Security Administration's programs, operations, and management and in our own office.

SOCIAL SECURITY

MEMORANDUM

Date:     March 21, 2005                    Refer To:

To:       James C. Everett
          Regional Commissioner
          Denver

From:     Inspector General

Subject:  Universities’ Use of Social Security Numbers as Student Identifiers in Region VIII (A-04-05-15039)

OBJECTIVE

Our objective was to assess universities’ use of Social Security numbers (SSN) as student identifiers and the potential risks associated with such use.

BACKGROUND

Millions of students enroll in educational institutions each year. To assist in this process, many colleges and universities use students’ SSNs as personal identifiers. The American Association of Collegiate Registrars and Admissions Officers found that half of member institutions that responded to a 2002 survey used SSNs as the primary student identifier.[1] Although no single Federal law regulates overall use and disclosure of SSNs by colleges and universities, the Privacy Act of 1974, the Family Educational Rights and Privacy Act, and the Social Security Act contain provisions that govern the disclosure and use of SSNs. See Appendix A for more information on the specific provisions of these laws.

POTENTIAL RISKS ASSOCIATED WITH COLLECTING AND USING SSNs

While the schools we selected did not report any instances of identity theft or fraud, many universities’ collection and use of SSNs entail certain risks. Each time an individual divulges his or her SSN, the potential for a thief to illegitimately gain access to bank accounts, credit cards, driving records, tax and employment histories and other private information increases.
We believe the following examples illustrate students’ risk of exposure to such activity. Because many universities still use SSNs as the primary identifier, students’ exposure to identity theft and fraud remains today.

•   A university professor in Washington was indicted on 33 counts of mail fraud in a scam using students’ SSNs. The professor allegedly accessed the university’s records system and used students’ information to obtain new SSN cards by posing as a parent. The professor then allegedly used the SSNs to obtain credit cards and birth certificates.

•   California authorities arrested a man suspected of stealing the names and SSNs of 150 college students and using that information to obtain credit cards and charge more than $200,000 in the students’ names.

•   A student at a Texas university was accused of hacking into the school’s computer network and downloading the names and SSNs of more than 55,000 students, faculty, and alumni.

•   A gentleman discovered a computer printout in a trash bin near a Pennsylvania university listing SSNs and other personal data for hundreds of students.

[1] Academic Transcripts and Records: Survey of Current Practices, April 2002 Special Report, the American Association of Collegiate Registrars and Admissions Officers.

SCOPE AND METHODOLOGY

We selected a sample of 12 educational institutions in Region VIII.[2] For each selected school, we interviewed university personnel and reviewed school policies and practices for using SSNs.
See Appendices B and C for additional details regarding the scope and methodology of our review and a list of the universities we contacted, respectively.

[2] Region VIII consists of the following six States: Colorado, Montana, North Dakota, South Dakota, Utah and Wyoming.

RESULTS OF REVIEW

Based on our interviews with university personnel and reviews of school policies and practices, we are concerned about universities’ use of SSNs as student identifiers. We identified several instances in which universities used SSNs as the primary student identifier or for other purposes, even when another identifier would suffice. However, we are encouraged that officials from many of the universities we contacted shared our concern and stated that their universities had taken, or were planning to take, steps to reduce SSN use as the primary student identifier.

COLLEGES AND UNIVERSITIES CONTINUE TO USE THE SSN AS AN IDENTIFIER

Despite the increasing threat of identity theft, some colleges and universities continue to use the SSN for several purposes, particularly as the primary student identifier. Our visits to 6 colleges and universities and telephone interviews with 6 others revealed that the SSN was used as the student identifier by 6 of the 12 universities we contacted in Region VIII. The following table identifies some uses of the SSN at the universities and colleges contacted and our related concerns.

SSN Use and Related Concerns

SSN USE: Class Registration: At several institutions, students must disclose their SSNs to register for courses (on-line or paper form registration processes).
CONCERN: The paper registration process unduly discloses the SSN to university/college registrar employees throughout the process. The on-line registration process generally results in electronic databases that identify students by SSN. Without strict application controls, individuals’ SSNs could be compromised.

SSN USE: Class Rosters: Class rosters at some universities and colleges listed the students’ SSNs and names.
CONCERN: Listing SSNs on class rosters with students’ names exposes the SSN to university employees. At a minimum, the practice makes SSNs available to instructors. If instructors do not adequately safeguard class rosters, students’ names and SSNs could be vulnerable to unauthorized access.

SSN USE: Computer Login: Students must enter their SSNs to log into computers at several of the colleges and universities.
CONCERN: Students’ SSNs are susceptible to unauthorized disclosure during the log-in process. At one university/college, the SSN was displayed on the computer monitor during the log-in process. Computer users accustomed to the process could visually obtain an SSN when a student logs on.

SSN USE: Class Grade Reports: Instructors at some of the universities and colleges reported final grades to the registrar’s office by students’ SSNs.
CONCERN: Listing SSNs and students’ names on class grade reports discloses the SSN to university/college employees. This weakens institutional control over the SSN.

SSN USE: Overdue Library Book Reports: At one university/college, library staff maintained overdue library book records that identified the delinquent student by name and SSN.
CONCERN: The paper record of overdue books containing student names and SSNs increases SSN exposure to library staff and other individuals in the work area. Additionally, the electronic database used to develop the overdue book record contained the students’ SSNs. Without strict application controls, the SSN could be electronically compromised.

The institutions that continued to employ the SSN as a primary student identifier recognized the risks associated with this practice and had adopted plans to issue a non-SSN student identifier by the fall 2006 semester. This change will eliminate universities’ and colleges’ use of the SSN as a student identifier.

Some universities and colleges in Region VIII had already initiated actions to phase out the SSN as a primary student identifier. For example, one university recently redesigned its student information system with the capability to assign and use non-SSN student identification numbers. With the redesigned system, the university began issuing randomly generated student identification numbers to all new students registering for the fall 2003 semester. Students enrolled before fall 2003 will be issued a non-SSN student identifier system starting with the spring 2006 semester. The Registrar stated that, although considerable costs were being incurred in transitioning to non-SSN student identification numbers, university officials fully supported the change, as they recognized the importance of protecting students’ personal identities. Additionally, the Registrar stated the university was trying to increase awareness regarding the need to protect the SSN along with other sensitive, personally identifiable information.

All of the colleges and universities we contacted recognized the importance of protecting students’ identities along with restricting the use of the SSN as a student identifier.
However, officials at several of these institutions cited funding limitations as a hurdle in implementing changes to information systems that would enable the transition to non-SSN student identification numbers. According to these officials, costly enhancements to existing information systems or the implementation of a new student information system is often necessary to support the replacement of the SSN as the primary student identifier. Although funding issues were identified as a roadblock to transitioning away from using the SSN as an identifier, institutions using the SSN as a primary identifier are now prepared to incur the costs and accept the challenges associated with assigning and managing non-SSN student identification numbers.

We did not identify instances in which students’ SSNs were misused at the colleges and universities interviewed. However, we believe the potential for misuse is greater at those universities that continue to use the SSN as the primary student identifier. We are encouraged that colleges and universities using the SSN as the primary student identifier have adopted plans to eliminate this practice and will only use it for financial aid and tax purposes. The institutions we contacted acknowledged the risks of using the SSN and will strive to limit SSN exposure.

CONCLUSION AND RECOMMENDATIONS

Despite the potential risks associated with using SSNs as primary student identifiers, some colleges and universities in Region VIII continued this practice. While we recognize SSA cannot prohibit colleges and universities from using SSNs as student identifiers, we believe SSA can help reduce potential threats to SSN integrity by encouraging schools to limit SSN collection and use. We also recognize the challenge of educating such a large number of educational institutions.
However, given the potential threats to SSN integrity, such a challenge should not discourage SSA from taking steps to safeguard SSNs. Accordingly, we recommend that SSA:

1. Coordinate with colleges/universities and State/regional educational associations to educate the university community about the potential risks associated with using SSNs as student identifiers.

2. Encourage colleges and universities to limit their collection and use of SSNs.

3. Promote the best practices of educational institutions that no longer use SSNs as student identifiers.

AGENCY COMMENTS

SSA agreed with our recommendations. We believe SSA’s response and planned actions adequately address our recommendations and will help strengthen SSN integrity. The full text of SSA’s comments is included in Appendix D.

Patrick P. O’Carroll, Jr.

Appendices

APPENDIX A – Federal Laws that Govern Disclosure and Use of the Social Security Number

APPENDIX B – Scope and Methodology

APPENDIX C – Educational Institutions Contacted

APPENDIX D – Agency Comments

APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Federal Laws that Govern Disclosure and Use of the Social Security Number

The following Federal laws establish a general framework for disclosing and using the Social Security number (SSN).

The Privacy Act of 1974 (5 U.S.C. § 552a; Pub. L. No. 93-579, §§ 7(a) and 7(b))

The Privacy Act of 1974 provides that it is unlawful for a State government agency to deny any person a right, benefit, or privilege provided by law based on the individual’s refusal to disclose his/her SSN, unless such disclosure was required to verify the individual’s identity under a statute or regulation in effect before January 1, 1975. Further, under Section 7(b), a State agency requesting that an individual disclose his/her SSN must inform the individual whether the disclosure is voluntary or mandatory, by what statutory or other authority the SSN is solicited, and what uses will be made of the SSN.

The Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. FERPA applies to those schools that receive funds under an applicable program of the U.S. Department of Education. Under FERPA, an educational institution must have written permission from the parent or eligible student to release any personally identifiable information (which includes SSNs) from a student’s education record.[1] FERPA does, however, provide certain exceptions in which a school is allowed to disclose records without consent. These exceptions include disclosure without consent to university personnel internally who have a legitimate educational interest in the information, to officials of institutions where the student is seeking to enroll/transfer, to parties to whom the student is applying for financial aid, to the parent of a dependent student, to appropriate parties in compliance with a judicial order or lawfully issued subpoena, or to health care providers in the event of a health or safety emergency.

[1] FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the child when the child reaches the age of 18 or attends an institution of postsecondary education. Children that have been transferred rights are referred to as “eligible students.”

The Social Security Act

The Social Security Act provides that “Social Security account numbers and related records that are obtained or maintained by authorized persons pursuant to any provision of law, enacted on or after October 1, 1990, shall be confidential, and that no authorized person shall disclose any such Social Security account number or related record.” (42 U.S.C. §405(c)(2)(C)(viii)). The Social Security Act also provides that “[w]hoever discloses, uses, or compels the disclosure of the Social Security number of any person in violation of the laws of the United States; shall be guilty of a felony…” (42 U.S.C. §408(a)(8)).

Appendix B

Scope and Methodology

To accomplish our objective, we

•   interviewed selected university personnel responsible for student admissions/registrations;

•   reviewed Internet websites of the 12 colleges and universities we contacted;

•   reviewed applicable laws and regulations; and

•   reviewed selected studies, articles and reports regarding universities’ use of Social Security numbers (SSN) as student identifiers.

We visited six educational institutions and interviewed personnel at six others to learn more about their policies and practices for using SSNs as student identifiers.
Our review of internal controls was limited to gaining an understanding of universities’ policies over the collection, protection and use/disclosure of SSNs. The Social Security Administration entity reviewed was the Office of the Deputy Commissioner for Operations. We conducted our audit from June through September 2004 in accordance with generally accepted government auditing standards.

Appendix C

Educational Institutions Contacted

We interviewed personnel at 12 educational institutions in Region VIII. The following table shows the names and locations of these schools as well as their total student enrollments.

      School                              Location                     Student Enrollment
  1   Augustana College                   Sioux Falls, South Dakota     1,812
  2   College of Eastern Utah             Price, Utah                   1,924
  3   Dawson Community College            Glendive, Montana               389
  4   Jamestown College                   Jamestown, North Dakota       1,137
  5   Laramie County Community College    Cheyenne, Wyoming             2,800
  6   South Dakota State University       Brookings, South Dakota       9,690
  7   University of Colorado, Boulder     Boulder, Colorado            30,767
  8   University of Denver                Denver, Colorado              8,295
  9   University of Montana, Missoula     Missoula, Montana            13,032
 10   University of North Dakota          Grand Forks, North Dakota    12,605
 11   University of Wyoming               Laramie, Wyoming             12,231
 12   Utah State University               Logan, Utah                  16,318

Source: We determined student enrollment by reviewing university websites or one of the following websites: www.collegeboard.com/splash or www.uscollegesearch.org.

Appendix D

Agency Comments

Wednesday, March 02, 2005

Thank you for the opportunity to review the draft OIG report on the use of Social Security Numbers (SSN) as student identifiers by universities. This report was well written and provided valuable information to us.

We agree with all three recommendations made regarding the need for outreach to the universities and colleges to promote limiting the use of the SSN. Some of our managers are already working with their local colleges to establish a new procedure. Recommendations 1 and 2 could be considered one step – working with the local contacts to understand the risks associated with using the SSN and encourage them to limit the collection and use of SSNs.

We believe these recommendations are worthwhile. We consider this an ongoing project as contacts are made with the colleges by our managers or Public Affairs Specialists. Also, we encourage these recommendations be made at a national level, as this is a national problem. Several of these actions can be implemented nationally to benefit everyone.

If your staff has any questions regarding these comments, they can contact Debbie Sweeney, RSI Programs Branch, at (303) 844-5719.

James C. Everett
Regional Commissioner
Denver

Appendix E

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kimberly A. Byrd, Director, (205) 801-1605

   Frank Nagy, Deputy Director, (404) 562-5552

Acknowledgments

In addition to those named above:

   Phillip Krieger, Auditor-in-Charge

   Kimberly Beauchamp, Writer/Editor

For additional copies of this report, please visit our web site at www.ssa.gov/oig or contact the Office of the Inspector General’s Public Affairs Specialist at (410) 965-3218. Refer to Common Identification Number A-04-05-15039.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Subcommittee on Human Resources
Chairman and Ranking Minority Member, Committee on Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Government Reform and Oversight
Chairman and Ranking Minority Member, Committee on Governmental Affairs
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI), Office of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office of Executive Operations (OEO). To ensure compliance with policies and procedures, internal controls, and professional standards, we also have a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts and/or supervises financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management and program evaluations and projects on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts and coordinates investigative activity related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as OIG liaison to the Department of Justice on all matters relating to the investigations of SSA programs and personnel.
OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Chief Counsel to the Inspector General

OCCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives. OCCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Finally, OCCIG administers the Civil Monetary Penalty program.

Office of Executive Operations

OEO supports OIG by providing information resource management and systems security. OEO also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OEO is the focal point for OIG’s strategic planning function and the development and implementation of performance measures required by the Government Performance and Results Act of 1993.